Original date: 27.11.2018
Overall risk classification: HIGH
The npm package event-stream (version 3.3.6) depends on a malicious package named flatmap-stream [1, 2].
event-stream is very widely used, and the malicious dependency has been downloaded roughly 8 million times since it was added to event-stream in early September 2018 [2].
According to Andreas Brieg, A12 BAP uses this package in the affected version. A12 ticket: A12-10520
If you use npm, review whether the malicious package is present in your dependency tree (directly or as a transitive dependency) and, if so, take the countermeasures below.
npm package event-stream version 3.3.6
any version of npm package flatmap-stream
Check whether flatmap-stream (any version; 0.1.1 is the known malicious release) or event-stream@3.3.6 appears in your dependency tree, for example from the project root:
$ npm ls event-stream flatmap-stream
... flatmap-stream@0.1.1 ...
Note that npm ls only reports what is currently installed in node_modules. Also search package-lock.json (or yarn.lock) and previously built artifacts, since another dependency may pull event-stream in without it appearing in your own package.json.
Risk: HIGH
If your project pins the malicious version, future builds will fail because the package has been removed from the npm registry. Builds produced earlier with this version most likely contain the malicious code and could have executed it.
The malicious payload is aimed at a cryptocurrency wallet application and attempts to steal bitcoin wallet keys [1].
Exploitability: MEDIUM
If your application was built with the affected version, the malicious code is most likely part of the build. It is written to activate only inside its specific target application [1], but unless you have verified that this does not apply to you, assume it could have executed.
If your application handles bitcoin or other cryptocurrencies, inspect its activity over the last three months (the malicious version has been available since early September 2018) for suspicious behaviour.
Priority (for affected, internet-exposed systems): MEDIUM
Priority (for internal systems): MEDIUM
Remove the malicious package from your application by pinning event-stream to version 3.3.4, the last release before the malicious dependency was introduced [1]; confirm that flatmap-stream no longer appears in the lock file, then rebuild and redeploy.
Decide whether further action is needed, such as the activity review described above.
Martin Schöne
[1] https://github.com/dominictarr/event-stream/issues/116
[2] https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream